Privacy Policy

Last updated: 6 March 2026

Stackfolio ("we", "us", "our") is operated by T & H Negus Pty Ltd (ABN 57 651 444 147), an Australian company serving users in both Australia and New Zealand. This policy applies to all users of stackfolio.com.au and stackfolio.co.nz (which redirects to stackfolio.com.au).

We are committed to protecting your personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth) and the Information Privacy Principles (IPPs) under the Privacy Act 2020 (NZ). This policy explains what information we collect, why we collect it, how we use it, who we share it with, and how you can control your data.

1. Information We Collect

Information you provide directly

  • Account details: Name, email address, and password (or Google account identifier if you sign in with Google).
  • Financial data: Bank transaction descriptions, amounts, dates, account names, balances, loan details, property details, stock holdings, precious metal holdings, and superannuation / KiwiSaver fund statements and transaction histories.
  • Retirement fund documents: Annual statement PDFs uploaded for import (Australian superannuation or New Zealand KiwiSaver). These may contain your name, address, member number, employer details, tax file number (AU) or IRD number (NZ), beneficiary information, and full financial history — see Section 6 for how we handle these.
  • Payment information: If you subscribe to a paid plan, Stripe processes your payment. We store only your payment method type and last four digits — never your full card number.
  • Google sign-in: If you use Google OAuth, we receive your name and email. We do not access your Google contacts, calendar, or any other Google data.

Information collected automatically

  • IP addresses: Logged for security monitoring and audit purposes.
  • Usage data: Pages visited, features used, and timestamps (used to improve the product — not shared with analytics providers).

Information we derive

  • Spending categories: We may automatically categorise your bank transactions using AI — see Section 5 for full details.
  • Portfolio valuations: Calculated from your holdings and current market prices.

2. How We Use Your Information

We use your information to:

  • Provide and maintain your Stackfolio account
  • Import and display your financial data
  • Calculate portfolio valuations, net worth, and spending summaries
  • Categorise bank transactions (with your consent — see Section 5)
  • Send account-related emails (verification, password reset, monthly reports if you opt in)
  • Process payments via Stripe
  • Monitor security and prevent unauthorised access
  • Improve the product based on aggregated, anonymised usage patterns

We do not use your information for advertising or sell it to third parties.

3. Who We Share Your Information With

We share your information with the following third parties, and only as described below.

Provider Country What is shared Purpose
Anthropic (Claude AI) United States Bank transaction descriptions, amounts, and your category correction history Automatic transaction categorisation
Stripe United States Email address, payment method details Payment processing for paid plans
Google United States Email address (during OAuth sign-in only) Authentication
Bunny Fonts European Union IP address (via font loading) Font delivery
DigitalOcean Sydney, Australia All data (stored on our server) Infrastructure / hosting
Note on data leaving Australia: Anthropic (AI), Stripe (payments), and Google (authentication) are based in the United States. Data sent to these services is subject to their respective privacy policies and US law. We minimise what is shared — see each section below for exactly what is transmitted.
For New Zealand users: Stackfolio is hosted in Australia (DigitalOcean Sydney data centre). Your data is stored and processed in Australia. Under the Privacy Act 2020 (NZ), we ensure your personal information receives equivalent protection to what is required under New Zealand law. Australia is recognised as having comparable privacy protections.

We do not share your data with any data brokers, advertisers, or analytics services.

4. Data Security

We protect your information with multiple layers of security:

  • Encryption at rest: Sensitive fields (account numbers, property addresses, super fund member numbers, bank transaction descriptions) are encrypted in our database using AES-256-CBC.
  • Encryption in transit: All data is transmitted over HTTPS with TLS 1.2 or higher.
  • Super fund PDFs: Encrypted with AES-256-CBC before storage, decrypted only by authorised administrators for the purpose of building a parser.
  • Password hashing: Passwords are hashed using bcrypt with a cost factor of 12.
  • Session security: Sessions are encrypted, HTTP-only, secure-flagged, and use strict same-site policy.
  • Admin access: Administrative tools are restricted by IP whitelist, separate authentication credentials, and role-based access control.
  • Audit logging: All financial data changes (creates, edits, deletes) are logged immutably with timestamps and IP addresses.
  • Infrastructure: Our server is hosted on DigitalOcean in Sydney, Australia. All user data (including data from New Zealand users) is stored in this Australian data centre.

5. AI-Powered Transaction Categorisation

When you import bank statements, Stackfolio can automatically suggest spending categories using Anthropic's Claude AI. This feature only runs when you trigger it — it does not run automatically in the background without your action.

What data IS sent to Anthropic

  • Transaction descriptions (e.g. "COLES 7656 LAUNCESTON AUS")
  • Transaction amounts
  • Your previous category corrections (e.g. "'COLES' → Groceries") used as context

What data is NOT sent to Anthropic

  • Your name, email, or account details
  • Your account balances or net worth
  • Super fund data, property details, or investment holdings
  • Your full transaction history (only uncategorised batches)
Anthropic's API does not retain data after processing, per their privacy policy. However, data is transmitted to and processed on servers in the United States.

Your control

  • AI categorisation only runs when you trigger it manually or via bulk assign — never silently in the background.
  • You can categorise all transactions manually without AI at any time.
  • Category corrections you make are stored locally to improve future suggestions without re-sending large data sets.

6. Retirement Fund PDF Submissions

If your superannuation fund (AU) or KiwiSaver scheme (NZ) is not yet supported, you can optionally submit your annual statement PDF so we can build an automated parser for it. This is entirely voluntary.

What happens when you submit a PDF

  • The PDF is encrypted using AES-256-CBC before being stored on our server.
  • Only Stackfolio administrators can decrypt and view the PDF, and only for the purpose of building the parser.
  • Your PDF is permanently deleted within 30 days of the parser being built, or within 7 days if your submission is not accepted.
  • You can request immediate deletion of your submitted PDF at any time by contacting us.
  • No super fund PDF data is ever shared with third parties or processed by AI.
Your retirement fund PDF may contain highly sensitive information including your name, address, member number, employer name, contribution history, account balance, investment options, beneficiary nominations, and tax file number (AU TFN) or IRD number (NZ). We understand this and treat submitted PDFs with the highest level of care. A clear consent checkbox is required before any submission.

7. Data Retention

Data type Retention period
Account data (name, email)Until you delete your account
Financial data (transactions, assets, loans)Until you delete your account
Superannuation / KiwiSaver statements and transactionsUntil you delete your account (7 years recommended for AU ATO / NZ IRD purposes)
Retirement fund PDF submissions30 days after parser built, or 7 days if rejected
Audit logs12 months, then automatically purged
Category correction historyUntil you delete your account
Payment recordsManaged by Stripe per their retention policy
Session data120 minutes of inactivity

When you delete your account, all of your data is permanently deleted from our systems — including all financial records, transactions, assets, category corrections, audit log entries, and any submitted PDF files. This deletion is immediate and irreversible.

8. Your Rights and Choices

Under the Australian Privacy Principles (APPs) and the New Zealand Information Privacy Principles (IPPs), you have the right to:

Access your data

You can download a copy of all your Stackfolio data at any time from Account Settings → Export Your Data. This generates a ZIP archive containing CSV files of all your financial records (transactions, assets, loans, super fund data, and category settings). Encrypted fields are included in readable form in the export since you own your data. You can also contact us at privacy@stackfolio.com.au if you require data in another format.

Correct your data

You can edit or correct any of your financial data directly within Stackfolio at any time.

Delete your data

You can delete your entire account and all associated data from Account Settings → Delete Account. This is permanent and cannot be undone.

Opt out of AI categorisation

You can categorise all transactions manually at any time without using the AI feature. Contact us if you wish to have your existing category correction history deleted.

Request PDF deletion

If you have submitted a retirement fund PDF for review, you can request its immediate deletion by contacting us at privacy@stackfolio.com.au.

Lodge a complaint

If you believe we have not handled your personal information appropriately, you can lodge a complaint with the relevant authority:

  • Australia: Office of the Australian Information Commissioner (OAIC) — www.oaic.gov.au or 1300 363 992
  • New Zealand: Office of the Privacy Commissioner — www.privacy.org.nz or 0800 803 909

9. Cookies

Stackfolio uses only essential cookies required for:

  • Session management — keeping you logged in
  • CSRF protection — preventing cross-site request forgery attacks

We do not use advertising cookies, analytics cookies, or any third-party tracking cookies.

10. Data Breach Notification

In the event of a data breach that is likely to result in serious harm, we will:

  1. Notify the relevant authority — the Office of the Australian Information Commissioner (OAIC) under Australia's Notifiable Data Breaches scheme, and the Office of the Privacy Commissioner (NZ) where New Zealand users are affected, as required under the Privacy Act 2020 (NZ).
  2. Notify affected users as soon as practicable, including what information was involved, what we are doing in response, and what steps you can take to protect yourself.
  3. Take immediate steps to contain the breach and prevent further unauthorised access.

11. Children's Privacy

Stackfolio is not intended for use by anyone under 18 years of age. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it promptly.

12. Open Banking Data (New Zealand)

New Zealand users may connect their bank accounts via Akahu, a regulated open banking provider operating under the Customer and Product Data Act 2025 (NZ). When you connect via Akahu, you consent to share your banking data (transactions, balances, account details) through Akahu's secure API.

  • Akahu acts as a regulated intermediary — we never receive your bank login credentials.
  • You can revoke Akahu access at any time through your Akahu dashboard or your bank.
  • Data received from Akahu is treated identically to manually imported bank statements — it is encrypted at rest and subject to all protections described in this policy.

For more information on Akahu's data handling practices, see Akahu's privacy policy.

13. Additional Information for New Zealand Users

If you are based in New Zealand, the following additional information applies to you:

  • Applicable law: Your personal information is processed in accordance with the Information Privacy Principles (IPPs) under the Privacy Act 2020 (NZ), in addition to the Australian Privacy Principles.
  • Data location: Your data is stored in Australia (DigitalOcean Sydney data centre). Australia is recognised as providing comparable privacy protections to New Zealand.
  • KiwiSaver: References to "superannuation" or "super fund" throughout this policy and in the application also apply to KiwiSaver schemes.
  • Complaints: You may lodge a complaint with the Office of the Privacy Commissioner at www.privacy.org.nz or by calling 0800 803 909.
  • Currency: The service supports AUD, NZD, and USD. You can set your preferred display currency in Account Settings.

14. Changes to This Policy

We may update this policy from time to time. If we make material changes, we will notify you by email or by displaying a notice within the application before the changes take effect. The "Last updated" date at the top of this policy indicates when it was last revised. Continued use of Stackfolio after changes constitutes acceptance of the updated policy.

15. Contact Us

If you have questions about this privacy policy, want to access or correct your information, or want to make a complaint about how we handle your data, contact us at:

Stackfolio

Email: privacy@stackfolio.com.au

If you are not satisfied with our response, you can lodge a complaint with the relevant privacy authority:

Australia — OAIC

New Zealand — Privacy Commissioner